Ask Moov Beta
Generative AI is experimental and can make mistakes.
Guides Use cases
SDKs & UIs
API Changelog
  1. API reference
  2. Authentication
  3. Access tokens

Create an access token

Use the client_id and client_secret to generate an access token.
POST
/oauth2/token
cURL cURL 
curl --request POST \
  --url https://api.moov.io/oauth2/token \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"client_credentials","client_id":"5clTR_MdVrrkgxw2","client_secret":"dNC-hg7sVm22jc3g_Eogtyu0_1Mqh_4-","scope":"/accounts.write","refresh_token":"i1qxz68gu50zp4i8ceyxqogmq7y0yienm52351c6..."}'
curl --request POST \
  --url https://api.moov.io/oauth2/token \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=5clTR_MdVrrkgxw2 \
  --data client_secret=dNC-hg7sVm22jc3g_Eogtyu0_1Mqh_4- \
  --data scope=%2Faccounts.write \
  --data refresh_token=i1qxz68gu50zp4i8ceyxqogmq7y0yienm52351c6...
200 400 429
Successfully exchanged the code to create a token
Possible responses that can be made to the /token endpoints. The type of response returned here will mirror the type of the request.
{
  "access_token": "i1qxz68gu50zp4i8ceyxqogmq7y0yienm52351c6...",
  "expires_in": 900,
  "refresh_token": "i1qxz68gu50zp4i8ceyxqogmq7y0yienm52351c6...",
  "scope": "/accounts.write",
  "token_type": "opaque"
}
Failure create token
{
  "error": "invalid_request"
}
Request was refused due to rate limiting.

Response headers

X-Retry-In

string <duration>
How long (in milliseconds) to wait until able to retry the request.

Body

application/json
Allows the use of Client Credentials Grant per the RFC 6749 of OAuth 2.0 Authorization Framework. Following this specification will allow any tooling to be able to use this API to get an access_token.

grant_type

string<enum> required
Possible values: client_credentials, refresh_token

client_id

string<byte>
If not specified in Authorization: Basic it can be specified here.

client_secret

string<byte>
If not specified in Authorization: Basic it can be specified here.

refresh_token

string<byte> <=4096 characters
String passed to the authorization server to gain access to the system.

scope

string
A space-delimited list of scopes that are allowed.

Response

application/json
Possible responses that can be made to the /token endpoints. The type of response returned here will mirror the type of the request.
Option 1
Device model

access_token

string<byte> <=4096 characters
String passed to the authorization server to gain access to the system.

expires_in

integer<int32>
Number of seconds the token is valid for.

refresh_token

string<byte> <=4096 characters
String passed to the authorization server to gain access to the system.

scope

string
A space-delimited list of scopes that are allowed.

token_type

string<enum>
Type of token returned. Opaque is not parse-able while JWT follows JWT spec.
Possible values: opaque, jwt